header-logo
Suggest Exploit
vendor:
Appointment Booking Calendar
by:
Joaquin Ramirez Martinez
9
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: Appointment Booking Calendar
Affected Version From: 1.1.24
Affected Version To: 1.1.24
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 10 + Firefox + sqlmap 1.0
2016

WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)

A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24. The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called. Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´ function). The vulnerable code is: $myrows = $wpdb->get_results( "SELECT * FROM ".CPABC_APPOINTMENTS_CONFIG_TABLE_NAME." WHERE conwer=$conwer ORDER BY `".CPABC_TDEAPP_CONFIG_ID."` DESC" ); The variable ´$conwer´ is not sanitized and is used in the query.

Mitigation:

Sanitize the variable ´$conwer´ before using it in the query.
Source

Exploit-DB raw data:

# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)
# Date: 2016-01-28
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.1.24
# OWASP Top10: A1-Injection
# Tested on: windows 10 + firefox + sqlmap 1.0.

===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
a calendar**. The booking form is linked to a **PayPal** payment process.

You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
that can be accepted for each time-slot."

(copy of readme file)


======================
EXPLOITATION TECHNIQUE
======================
remote

==============
SEVERITY LEVEL
==============

critical

================================
TECHNICAL DETAILS && DESCRIPTION
================================

A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.

The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.
The action is added with ´init´ tag, so it function is called every time when parameter 
´action=cpabc_appointments_calendar_update´ appear in the query string (GET request) or POST request.

Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass
the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´
function) and we need own a calendar too (could be owned by privilege escalation) or be a user with ´edit_pages´ permission (admin|editor).

The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker
can compromise the entire web server.

================
PROOF OF CONCEPT
================

An unauthenticated attacker can make a request like...

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data
&cpabc_calendar_update=1&id=<owned calendar id>

Example:

	Exploiting simple SQL injection:

	http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update
	&cpabc_calendar_update=1&id=1
	
	Post data:
	specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2
	&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5&	imeWorkingDates6  

All post variables are vulnerable to SQLi with ´addslashes´ bypass.

===============
VULNERABLE CODE
===============

located in ´cpabc_appointments.php´

function cpabc_appointments_calendar_update() {
    global $wpdb, $user_ID;

	if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
		return;

    $calid = intval(str_replace  (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));
    if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )
        return;
echo "sa";
    cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');

    //@ob_clean();
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");
    if ( $user_ID )    
        $wpdb->query("update  ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"
		.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.
		"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".
		CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"
		.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"
		.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6
		."='".$_POST["timeWorkingDates6"]."'  where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);

    exit();
}


===========


Note:
cpabc_appointments_calendar_update2() function is vulnerable too by the same exploit explaned here.


==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	strparser[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
2016-01-27 released plugin version 1.1.25
2016-01-28 public disclousure

Navigation

Suggest Exploit

Services By CQR